javascript-solid-server 0.0.71 → 0.0.72

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.71",
+  "version": "0.0.72",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/solid-oidc.js

@@ -17,6 +17,11 @@ import { validateExternalUrl } from '../utils/ssrf.js';
 const oidcConfigCache = new Map();
 const jwksCache = new Map();
 
+// Cache for DPoP jti values to prevent replay attacks
+// Stores { jti: timestamp } entries, cleaned periodically
+const dpopJtiCache = new Map();
+const JTI_CACHE_CLEANUP_INTERVAL = 60 * 1000; // Clean every minute
+
 // Cache TTL (15 minutes)
 const CACHE_TTL = 15 * 60 * 1000;
 
@@ -36,6 +41,42 @@ export function addTrustedIssuer(issuer) {
 // DPoP proof max age (5 minutes)
 const DPOP_MAX_AGE = 5 * 60;
 
+/**
+ * Clean expired jti entries from cache
+ * Called periodically to prevent memory growth
+ */
+function cleanupJtiCache() {
+  const now = Math.floor(Date.now() / 1000);
+  const expiredBefore = now - DPOP_MAX_AGE;
+
+  for (const [jti, timestamp] of dpopJtiCache.entries()) {
+    if (timestamp < expiredBefore) {
+      dpopJtiCache.delete(jti);
+    }
+  }
+}
+
+// Start periodic cleanup
+setInterval(cleanupJtiCache, JTI_CACHE_CLEANUP_INTERVAL);
+
+/**
+ * Check if a jti has been used (replay attack prevention)
+ * @param {string} jti - The jti claim from DPoP proof
+ * @returns {boolean} - true if jti was already used
+ */
+function isJtiUsed(jti) {
+  return dpopJtiCache.has(jti);
+}
+
+/**
+ * Record a jti as used
+ * @param {string} jti - The jti claim from DPoP proof
+ * @param {number} iat - The issued-at timestamp
+ */
+function recordJti(jti, iat) {
+  dpopJtiCache.set(jti, iat);
+}
+
 /**
  * Verify a Solid-OIDC request and extract WebID
  * @param {object} request - Fastify request object
@@ -175,11 +216,19 @@ async function verifyDpopProof(dpopProof, request, accessToken) {
       return { thumbprint: null, error: 'DPoP proof expired or invalid iat' };
     }
 
-    // jti: Unique identifier (we should track these to prevent replay, but skip for now)
+    // jti: Unique identifier - track to prevent replay attacks
     if (!payload.jti) {
       return { thumbprint: null, error: 'DPoP proof missing jti' };
     }
 
+    // Check for replay attack
+    if (isJtiUsed(payload.jti)) {
+      return { thumbprint: null, error: 'DPoP proof jti already used (replay attack prevented)' };
+    }
+
+    // Record jti to prevent future replay
+    recordJti(payload.jti, payload.iat);
+
     // ath: Access token hash (optional but recommended)
     if (payload.ath) {
       const expectedAth = await calculateAth(accessToken);

package/src/handlers/git.js

@@ -1,6 +1,7 @@
 import { spawn, execSync } from 'child_process';
 import { existsSync, statSync, mkdirSync, writeFileSync } from 'fs';
 import { join, resolve, dirname } from 'path';
+import { getDataRoot } from '../utils/url.js';
 
 /**
  * Check if a URL path is a Git protocol request
@@ -23,20 +24,41 @@ export function isGitWriteOperation(urlPath) {
 }
 
 /**
- * Extract the repository path from the URL
+ * Extract the repository path from the URL with path traversal protection
  * @param {string} urlPath - The URL path
  * @returns {string|null} The repository relative path or null
  */
 function extractRepoPath(urlPath) {
   // Remove git service suffixes to get the repo path
-  const cleanPath = urlPath
+  let cleanPath = urlPath
     .replace(/\/info\/refs.*$/, '')
     .replace(/\/git-upload-pack$/, '')
     .replace(/\/git-receive-pack$/, '');
 
-  // Remove leading slash, use '.' for root
-  const result = cleanPath.replace(/^\//, '');
-  return result === '' ? '.' : result;
+  // Remove leading slash
+  cleanPath = cleanPath.replace(/^\//, '');
+
+  // Security: remove path traversal attempts (multiple passes for ....// bypass)
+  let previous;
+  do {
+    previous = cleanPath;
+    cleanPath = cleanPath.replace(/\.\./g, '');
+  } while (cleanPath !== previous);
+
+  // Use '.' for root/empty path
+  return cleanPath === '' ? '.' : cleanPath;
+}
+
+/**
+ * Validate that a resolved path is within the data root
+ * @param {string} resolvedPath - Absolute path to validate
+ * @param {string} dataRoot - The data root directory
+ * @returns {boolean} - true if path is safe
+ */
+function isPathWithinDataRoot(resolvedPath, dataRoot) {
+  const normalizedRoot = resolve(dataRoot);
+  const normalizedPath = resolve(resolvedPath);
+  return normalizedPath.startsWith(normalizedRoot + '/') || normalizedPath === normalizedRoot;
 }
 
 /**
@@ -89,13 +111,18 @@ export async function handleGit(request, reply) {
   }
 
   // Handle subdomain mode
-  let dataRoot = process.env.DATA_ROOT || './data';
+  let dataRoot = getDataRoot();
   if (request.podName) {
     dataRoot = join(dataRoot, request.podName);
   }
 
   const repoAbs = resolve(dataRoot, repoRelative);
 
+  // Security: verify resolved path is within data root (path traversal protection)
+  if (!isPathWithinDataRoot(repoAbs, getDataRoot())) {
+    return reply.code(403).send({ error: 'Path traversal detected' });
+  }
+
   // Find git directory
   const gitInfo = findGitDir(repoAbs);
   if (!gitInfo) {

package/src/idp/interactions.js

@@ -376,6 +376,11 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
     return reply.type('text/html').send(registerPage(uid, 'Username must be at least 3 characters', null, inviteOnly));
   }
 
+  // Password strength validation
+  if (password.length < 8) {
+    return reply.type('text/html').send(registerPage(uid, 'Password must be at least 8 characters', null, inviteOnly));
+  }
+
   if (password !== confirmPassword) {
     return reply.type('text/html').send(registerPage(uid, 'Passwords do not match', null, inviteOnly));
   }

package/src/utils/ssrf.js

@@ -123,10 +123,15 @@ export async function validateExternalUrl(urlString, options = {}) {
         }
       }
     } catch (err) {
-      // DNS resolution failed - could be a legitimate issue or attacker trying to bypass
-      // For security, we'll allow it through but log a warning
-      // The fetch will fail anyway if the host doesn't resolve
-      console.warn(`DNS resolution failed for ${hostname}: ${err.message}`);
+      // DNS resolution failed - this could be an attacker attempting to bypass SSRF
+      // protection via DNS manipulation or timing attacks.
+      // Security: block the request rather than allowing it through
+      console.warn(`SSRF protection: DNS resolution failed for ${hostname}: ${err.message}`);
+      return {
+        valid: false,
+        error: `DNS resolution failed for hostname: ${hostname}`,
+        url: null
+      };
     }
   }
 

package/src/utils/url.js

@@ -65,8 +65,13 @@ export function urlToPathWithPod(urlPath, podName) {
     normalized = normalized.replace(/\.\./g, '');
   } while (normalized !== previous);
 
-  // Also sanitize podName
-  let safePodName = podName.replace(/\.\./g, '');
+  // Also sanitize podName (multiple passes for ....// bypass)
+  let safePodName = podName;
+  let previousPod;
+  do {
+    previousPod = safePodName;
+    safePodName = safePodName.replace(/\.\./g, '');
+  } while (safePodName !== previousPod);
 
   // Resolve to absolute path and verify it's within DATA_ROOT
   const dataRoot = path.resolve(getDataRoot());

package/src/wac/parser.js

@@ -4,6 +4,7 @@
  */
 
 import { turtleToJsonLd } from '../rdf/turtle.js';
+import { safeJsonParse } from '../utils/url.js';
 
 const ACL = 'http://www.w3.org/ns/auth/acl#';
 const FOAF = 'http://xmlns.com/foaf/0.1/';
@@ -35,9 +36,9 @@ export async function parseAcl(content, aclUrl) {
   if (typeof content === 'object' && content !== null) {
     doc = content;
   } else if (typeof content === 'string') {
-    // Try JSON-LD first
+    // Try JSON-LD first (with size limit for DoS protection)
     try {
-      doc = JSON.parse(content);
+      doc = safeJsonParse(content);
     } catch {
       // Not JSON, try Turtle
       try {